Two former Twitter employees are facing federal charges for accepting bribes from Saudi Arabia in exchange for confidential information stolen from the accounts of thousands of users, most of whom are critics of the Saudi government. Authorities say the employees stole email and IP addresses, biographical information, log data and more, even though their jobs did not require access to such information.
The case highlights the risk of allowing employees to have unrestricted access to company data, including confidential personal information, trade secrets and intellectual property. Organizations that allow access to all company data are four times as likely to experience a data breach compared to those that limit access to what employees need for their jobs, according to a recent survey of IT managers conducted by Getapp.
Access control has always been a fundamental element of information security, but the process has become more complicated. An increasingly mobile, remote and collaborative workforce requires access to company data from beyond the office. This free flow of information increases the risk of data breaches, whether intentional or accidental.
In Egress’s 2020 Insider Data Breach Survey, 97 percent of IT leaders expressed concerns about the risk of insider data breaches. They are right to be concerned — 71 percent of employees admitted they have intentionally shared company information externally.
Despite the obvious risks, organizations aren’t doing enough to manage and control data access. In a recent survey from Netwrix Research Lab, 56 percent of IT professionals said that they don’t review access rights regularly, and 30 percent said they grant permissions based solely on user requests. Predictably, 38 percent reported that their organizations suffered a data breach in the previous 12 months.
While conventional perimeter security measures remain essential, organizations need to implement a variety of processes and tools that will allow them to strictly enforce data access controls. Consider these six steps:
1. Take inventory. Review your environment to determine what data you have, who is responsible for it and which users may have access to it. Note that a “user” may not correspond to a specific person. Defunct and shared access credentials can be especially problematic.
2. Classify your data. Organizing data by owner, type, sensitivity and value makes it easier to establish access controls. Discovering, evaluating and tagging data also helps organizations meet a variety of regulatory compliance requirements.
3. Organize your file system. To control access, you will need to organize files by category and risk level and assign file and folder permissions accordingly. This is not a “set and forget” process — files should be reviewed, moved, archived or deleted as appropriate throughout their lifecycle.
4. Establish processes. Give data owners the right and the responsibility to determine which user roles are allowed access to their data. Establish workflows for requesting, granting and managing access, with separation of duties among multiple people. Review access privileges periodically to ensure they still align with each user’s current role.
5. Enforce “least-privilege” access. Give users access only to the systems and resources they need to do their jobs. In addition to preventing intentional or accidental data exposure, least-privilege restrictions help contain threats by limiting how far they can spread through the network.
6. Use network access control. NAC solutions help organizations manage and control which users and devices can access corporate networks, based on policies covering endpoint configuration, authentication and user identity. In industry surveys, NAC consistently ranks as one of the most-trusted security technologies on the market today.
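As an added example (not from the original article or from RMM Solutions), the following Python sketch shows what the periodic access review described in the inventory, process and least-privilege steps can look like in practice: it compares each account's granted permissions against a role baseline and flags shared credentials, defunct accounts and permissions that exceed the user's current role. The role names, permission strings, the 90-day dormancy threshold and the sample accounts are all assumptions.

```python
"""Periodic access review: added example, not from the original article. Flags
defunct and shared credentials and permissions beyond the account's current role."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical role-to-permission baseline maintained by each data owner.
ROLE_BASELINE = {
    "support_agent": {"tickets:read", "tickets:write", "customers:read"},
    "analyst": {"reports:read", "customers:read"},
    "admin": {"tickets:read", "tickets:write", "customers:read", "customers:export", "reports:read"},
}
DORMANT_AFTER = timedelta(days=90)  # assumed policy threshold for "defunct"

@dataclass
class Account:
    name: str
    role: str
    granted: set
    last_login: date | None        # None means the credential was never used
    owner: str | None = None       # None means shared or orphaned credential
    active_employee: bool = True   # False once HR records the owner as left

def review_access(accounts, today):
    # Returns {account name: [findings]} for accounts that need owner attention.
    findings = {}
    for acct in accounts:
        issues = []
        if acct.owner is None:
            issues.append("shared or orphaned credential: no accountable owner")
        if not acct.active_employee:
            issues.append("defunct: owner no longer employed")
        elif acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            issues.append("defunct: no login within %d days" % DORMANT_AFTER.days)
        # Least privilege: anything granted beyond the role baseline is excess.
        excess = acct.granted - ROLE_BASELINE.get(acct.role, set())
        if excess:
            issues.append("exceeds role %s: %s" % (acct.role, ", ".join(sorted(excess))))
        if issues:
            findings[acct.name] = issues
    return findings

# Constructed sample accounts: clean, over-privileged, shared and defunct.
SAMPLE_TODAY = date(2020, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "analyst", {"reports:read", "customers:read"}, date(2020, 5, 28), "Alice"),
    Account("bob", "support_agent", {"tickets:read", "tickets:write", "customers:read",
                                     "customers:export"}, date(2020, 5, 30), "Bob"),
    Account("svc-legacy", "analyst", {"reports:read"}, date(2019, 12, 1)),
    Account("carol", "admin", set(ROLE_BASELINE["admin"]), date(2020, 1, 15), "Carol", False),
]
```

Running `review_access(SAMPLE_ACCOUNTS, SAMPLE_TODAY)` reports nothing for alice, an excess `customers:export` grant for bob, a shared and dormant `svc-legacy` credential, and a defunct account for the departed carol.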
Employees today need anytime/anywhere access to company data in order to do their jobs, but they don’t need access to everything. Allowing unrestricted data access greatly increases the risk of a data breach, whether intentional or accidental. RMM Solutions can help you evaluate your current data protection strategies and help you implement processes and tools to ensure appropriate levels of access control.